Re: Security implications of large CGD?

On Tue, Apr 30, 2013 at 02:09:40PM +0000, Taylor R Campbell wrote:
> Date: Sun, 28 Apr 2013 14:48:05 +0200
> From: Jimmy Johansson <jimmy%Update.UU.SE@localhost>
>
> I'm about to create a CGD volume larger than 1 TB.
>
> I seem to remember reading something about OpenBSD and their full disk
> encryption several years ago and that you should not create a
> volume larger than 1 TB with their scheme. If I remember correctly it
> was due to implementation limitations, but then again I don't trust my
> memory any more.
>
> Or are there any problems overall with a volume larger than 1 TB
> encrypted with aes-cbc and 256 b key that a layperson like me can't
> see? I mean I'm neither a cryptographer nor a mathematician...
>
> Cryptographers recommend[*] avoiding using a 128-bit block cipher with
> a single key to encrypt more than 2^32 blocks = 2^40 bytes = 1 TB.
> This is to render negligible an attacker's probability of success at
> using the birthday paradox to distinguish your ciphertext, which will
> have no collisions, from random data, which is expected to have a
> collision after 2^64 blocks.
>
> To avoid this, you could break up your disk into parts encrypted with
> different keys and combine the parts using ccd or raid.
>
> (OpenBSD has it much worse off, because their disk encryption supports
> only the 64-bit block cipher Blowfish. I wonder whether cgd(4) ought
> to reject attempts to configure >1 TB (and much smaller for Blowfish
> and 3DES), until perhaps we add support for a wider-block cipher.)
>
> [*] E.g., <http://www.ietf.org/rfc/rfc4434.txt>.
Thanks for the answer. Will keep this in mind when setting things up.
Regards,
Jimmy
--
If you don't shoot the bearers of bad news, people will keep bringing it to you.